Types of Attacks | Professional Windows Desktop and Server Hardening (Programmer to Programmer)

There are many different types of attacks, including the dedicated manual hacker, automated malware, and blended attacks.

Dedicated Manual Attacker Methodology

The 1983 movie War Games, starring Matthew Broderick, kicked off the world's fascination with computer hacking. Several computer historians point to that single film as launching pad for youth hobbyist hacking. In the movie, Broderick's character, David Lightman, spends his free time war dialing (i.e., serially dialing multiple phone numbers one at a time until an active phone number is found, looking for unsecured modem connections. Along with co-star Ally Sheedy, he ends up infiltrating a military computer and unwittingly almost sets off World War III. It received three Oscar nominations and made stars of the two young protagonists.

Early on, computer hacking often involved war dialing for analog phone connections. That was before the Internet. Now, hackers scan the Internet looking for live Internet hosts and probe them for weaknesses. Here is the conventional methodology of the dedicated manual attacker:

Hacker uses a TCP/IP scanning program to find an active host on the Internet. In the early days, hackers manually and methodically pinged random IP addresses until they found a responding host. Eventually, the earlier phone war dialing programs were converted to look for active IP addresses. Note, this type of reconnaissance requires that the remote host has an IP address and responds to a ping (ICMP Echo Request). As firewalls and routers began to prevent ping responses in order to thwart hackers, hackers started scanning for open TCP or UDP connections instead.
After an active IP address is located, a TCP/IP port scan is done against the remote host. This should reveal any open TCP or UDP connections. If a port is not opened, a TCP connection probe is reset by the remote host or the source IP address is sent a host unreachable ICMP message (if a UDP port is involved). Firewalls (in stealth mode) will block all probes to closed ports from reaching the protected host, forcing the originating prober's computer to wait for a connection timeout.
Depending on the TCP/IP ports found, the hacker can learn what services are running on a particular host. For instance, if port 80 is found, the host is probably running a web server. If port 25 is found, it is probably a SMTP e-mail server. If ports 135, 137, 139, and 445 are found, the host is probably a Microsoft Windows computer (this is covered in more detail in Chapter 2).
Once the TCP/IP ports are identified, the hacker will begin to fingerprint the host and its services. The hacker can manually connect to each found open port or use an automated fingerprinting tool. Many times, simply connecting to a port will reveal the service and its version number. Popular fingerprinting tools, such as Nmap (www.insecure.org/nmap) or Xprobe2 (http://xprobe.sourceforge.net), can be used to identify the operating system. Identifying the operating system helps identify the associated applications. For instance, IIS 6 only runs on Windows Server 2003. IIS 5 runs on Windows 2000, IIS 5.1 only runs on Windows XP, and IIS 4 only runs on Windows NT 4.0.
Once a service and its version are identified, a hacker can begin to attempt exploits built for just that particular software version. For example, if the hacker found IIS 5.0, he could search the Internet for all the IIS 5.0 exploits available. Several web sites allow this type of research, including Secunia (www.secunia.com). Currently, Secunia shows 11 IIS 5 vulnerabilities (http://www.secunia.com/product/39). If the software is fully patched, then the hacker must exploit a misconfiguration or host application error. Apparently, these are not hard to find. According to a November 2004 Gartner Research report (www.g2r.com/DisplayDocument?doc_cd=124806), "two out of three successful attacks exploit misconfigurations rather than vulnerabilities or missing patches."
Finally, the attacker manually hacks his way into the remote computer.

What happens at this point depends on the hacker. If the hacker isn't logged in as an administrator, a privilege-escalation attack may be attempted. Most of the time, hackers spends their next few minutes making sure they can easily break back in when needed. They may set up a new backdoor program, create a new user account, or set up a new malicious listening program. Many times, hackers then close the hole that allowed them to break in. Surprising as it may be, sometimes the first sign that network administrators receive that they've been hacked is that their systems are fully patched. This was especially notable when many network administrators held off on applying Windows XP Professional's Service Pack 2 (SP2) because of incompatibility issues. They were surprised to find SP2 installed even after they had specifically configured Windows not to install it. It was their complaint to Microsoft about the service pack installing even when requested that it not be that led to the malicious hacker being discovered. I always think it is sad when the hacker does the patching before the administrator.

A fast-growing percentage of professional hackers will inspect the hacked PC to determine whether there is any valuable information to compromise. Often this means they look for credit card or financial information. The hacker may install other malware programs to do keystroke logging or remote control. Before professional hacking became popular, the hobbyist hacker would often use the newly exploited computer as a repository for illegally copied games and videos. Other hackers would set up remote control trojans and start to attack other computers on the Internet. Then, if the secondary hack gets discovered, the evidence trail stops at the intermediary hacked computer instead of at the hacker's true location.

When doing forensic analysis on a hacking crime, two things need to be looked for:

How did the hacker or malware initially break in?
What did the hacker or malware do after the initial compromise?

The first question will help you prevent future occurrences of the same hack; the latter will help you understand why a particular computer was hacked. Unless the hacker has an interest in a particular company, the found victim computer was probably randomly selected. I don't mean to imply that a dedicated hacker isn't ever trying to attack a particular company. Interesting entities such as NASA, popular web sites, and Fortune 1000 company web sites receive dedicated hacker traffic each day. But most companies aren't being especially targeted by the dedicated hacker, or if they are, it is only by raw luck of the draw. More often, hackers use automated, roving malware to find and exploit vulnerable hosts.

Types of Hackers

Hackers don't come in just one flavor. The vast majority of hackers are called script kiddies. These are individuals whose enthusiasm for hacking far outweighs their own hacking abilities. Rarely can they do dedicated manual hacking, keystroke by keystroke. More often they download hacking utilities, tools, and scripts that automate the entire process for them. They just plug in an IP address, and the tool does the rest of the work.

Don't Run with Knives

Here's a humorous story. In May 2005, I hosted an IIS hacking contest at www.hackiis6.com. It was hugely successfully, withstanding up to 250,000 hack attempts and probes per second during the contest. Few of the attacks were interesting. Most attacks came from automated attack tools used by script kiddies. What surprised me was how many of the attacks were meant for Apache web servers — the attacks would never be successful against Microsoft IIS servers. I never knew whether the hackers thought maybe I was kidding when I said it was an IIS server or if they just fired off the only web site hacking tool they could find. Even funnier was another strange story of sweet revenge. One of the popular security mailing lists where budding hackers like to lurk was discussing how to hack my contest site. A participant uploaded a script that he said was sure to hack my web site. Even though the script was written in Shell script (a Unix/Linux scripting language), which is not my specialty, I was able to determine that the 13-line script did not attack my web site. Instead it sent the root password of the user who executed it to the script's creator. With a bare minimum of programming knowledge, they could have easily seen that it had nothing to do with my web site and was only grabbing their password and sending it to a remote person. Instead dozens of hacker wanna-bees executed the script. There were even days of e-mails from the script kiddies asking why the script didn't hack my IIS web site even though they were executing it over and over. A few claimed it worked. Too funny!

Although script kiddies aren't very knowledgeable, they probably accomplish most of the hacking that you hear about. They don't need to be experts; the knowledge is built into the tool they are using. They usually aren't very good at covering their tracks and can usually be caught with a minimum of forensic investigation.

Unfortunately, a smaller subset of hackers are knowledgeable attackers. They can use and modify a plethora of different hacking tools to accomplish their task at hand, following steps that somewhat mimic the manual dedicated hacker progression listed above. They can switch and modify tools from their defaults to be successful in their compromise pursuit. This type of hacker is persistent and patient. They are smart enough to cover their tracks and can avoid immediate detection. Hackers at this level may write their own malware, but the techniques they use are known. An even smaller subset of dedicated hackers are the master technicians — the überhackers. They develop their own tools and methods for breaking in. Their original malware uses new malware techniques or pushes existing envelopes. They are confident and don't often participate in security mailing lists. If they discover a new hacking hole, they keep it for themselves or sell it to commercial interests. This is the professional hacker and the one defense experts fear most. Although it is difficult to tell how many master hackers there are at any given time, the recent, significant increase in professional computer crime suggests they are on the rise.

Note

Microsoft employee Robert Hensing has written a short guide (http://weblogs.asp.net/robert_hensing/archive/2004/08/09/211383.aspx) discussing the various hacker personas, as he calls them. Robert has spent years on the front lines at Microsoft fighting hackers and discovering new malware and hacking techniques. Although he also summarizes the various hacking skills over three levels, his discussions are more in depth.

Keeping the dedicated manual hacker out of your computing environment is very difficult. You have to be perfect. Every computer attached to the Internet has to be perfectly configured, fully patched, and secured. The patient, dedicated hacker only has to find one hole. But even the dedicated hacker often resorts to using automated malware to speed up the process.

Automated Malware

The more popular attack method is using automated malware. Most automated attacks can be categorized by the three main parent types: virus, worm, and trojan.

Virus

Computer viruses are malicious programs that must rely on other host programs or code to spread. In most cases, the virus inserts itself into a legitimate host program (or boot sector) so that when the host is executed, so is the virus (see Figure 1-2). The smallest working PC-based virus is called Define (http://vil.nai.com/vil/content/v_346.htm). At only 30 bytes, it is the minimalist blueprint of every virus. It finds a host file, adds its own code to the host file (actually, it overwrites the original host file), and closes the file. When the infected host is run, the process repeats. The other 60,000 plus viruses are just more sophisticated versions of the same routine. Some infect boot sectors, others infect program files, and others infect data files (e.g., macro or script viruses). Some infect at the beginning of a file, others at the end, others in the middle, and still others don't infect the original host at all. A small subset of viruses, called companion viruses (aka twins or spawners), rely on operating system tricks to fool users into executing the malicious code first when trying to execute the legitimate host.

image from book
Figure 1-2

Some viruses print messages to the screen, make funny noises, draw graphics, and mess with print jobs. Others cause damage. They format hard drives, erase files, and corrupt data. A computer virus can do anything that is programmatically possible.

The first personal computer virus, the Apple-based Elk Cloner, was written by teenager Richard Skrenta (www.skrenta.com/cloner) in 1982. Early on, only a few viruses came out each year, mostly for the Apple and Amiga platforms. When the IBM PC started becoming the PC of choice, viruses migrated to the new platform. Although Trojan Horse programs (i.e., trojans) had been around longer than viruses, viruses quickly became the malware writer's program of choice. Before the end of the century, there would be over 60,000 different viruses.

Today, computer viruses aren't as prevalent on the Windows platform because Microsoft created a system file protection mechanism known as Windows File Protection (WFP). Ostensibly only created to fight the programming problem known as "DLL hell," WFP will replace any modified, renamed, or deleted Windows system file with a legitimate copy. WFP had the net effect of decreasing the easy spread of computer viruses because when the virus infected a protected file, it was immediately removed.

Along the way, antivirus mechanisms got significantly better at preventing attacks. From 1995 to 2000, macro viruses enjoyed malicious success, but today, Microsoft-enabled programs have, for the most part, defeated the threat. A few years ago, viruses migrated to malicious script files (e.g., VBScript, JavaScript, and HTML applications), but even those threats have been mostly minimized.

Trojans

Trojan programs masquerade to the end user as one type of program (e.g., game, program, etc.), but usually have a hidden malicious agenda. A common trojan ploy is for trojan code to be added to a real, legitimate commercial program. This is often accomplished using a program known as a linker. The compromised legitimate program is offered free on the Internet. Users, looking for pirated software, download the program and install it. The program installs as it normally would and this is all the user sees, but the trojan installs "invisibly" behind the scenes.

The defining characteristic of a trojan is that it does not automatically spread or replicate (as does a worm or virus). In order to spread from computer to computer, it relies on different users downloading and executing it prior to being identified as malware.

Trojans are just starting to get the respect they deserve. Trojans often install keylogging programs, which record everything the user types in, including passwords, bank account numbers, and other confidential information. Once a trojan has successfully compromised a computer, the exploited computer can be redirected to do anything. If the trojan infects the PC and awaits further commands from the originating hacker, it is called a zombie or command and control trojan. For decades, trojans were designed to attack and exploit just the one computer they infected. They would infect the computer and then "dial home" to the hacker and announce their presence. The hacker then would manipulate the single exploited machine. In some cases, the trojan enables the hacker to do anything to the computer that he wants — sort of like a malicious PC Anywhere remote control program. These remote access trojans (or RATs), can record user keystrokes, manipulate files, steal passwords, capture screen shots, and even capture video and sound if the computer is equipped with a working video camera and microphone. The dangerous aspect of a RAT is that even after the malware is gone, the user usually has no idea what the hacker did or learned while the RAT was active. A RAT was the first type of malware program to be able to cause problems well past its removal. Now, multiply that unknown risk by 100,000 or so.

Today, hackers use trojans to compromise as many innocent machines as they can, creating huge networks of compromised machines under the control of a single hacker or group. These botnets can then be used do the bidding of the malicious attacker. The hacker may use the compromised machine to attack other targets. If the secondary target attempts to trace back the attack, it ends at the trojan-controlled machine, and not at the originating hacker's machine. Botnets can be comprised of tens of thousands to over 100,000 computers.

In a few months, Honeynet Project researchers (www.honeynet.org/papers/bots) tracked more than 100 different botnets, some containing over 50,000 compromised machines. Symantec tracked over 30,000 botnets over a six-month period (www.securityfocus.com/infocus/1838). According to Baylor University professor Randal Vaughn, the most popular trojans used to make botnets in 2005 are (in order of popularity) Korgobot, Spybot, Optix Pro, rBot, and other Spybot variants (e.g., AgoBot, PhatBot, SDbots, etc.)

Professional hackers will accumulate as many computers as they can in their botnet and then sell or rent the botnet to the highest bidder. One report (www.securityfocus.com/infocus/1838), says a botnet can be rented for as little as $100 per hour. Spammers and other professional hackers then use the botnets for their own reasons, including distributed denial of service (DDoS) attacks, spreading spam, hosting malicious web sites, spreading other malware, manipulating online games and polls, and participating in identity theft. Several other companies and researchers have estimated that hundreds of thousands of PCs unwittingly become involved in botnets each month. The company CipherTrust, which tracks zombie nets, estimates (www.ciphertrust.com/resources/statistics/zombie.php) that in May 2005, 172,000 new exploited PCs appeared each day. This figure is probably on the high side, but obviously a huge number of PCs are under the control of someone other than their owners. Most of the compromised machines are in the United States or China. Go USA??

Another emerging trojan type is the rootkit. A rootkit malware program spends extra effort to hide itself from casual observers and the dedicated forensic inspector. Rootkits use stealth-like mechanisms to hide any sign or symptom of their infection when inquiring eyes or processes query for their existence. Rootkits used to only be a concern for Linux/Unix administrators, but are now moving into the Windows world. There are several web sites dedicated to Windows rootkits, including www.rootkit.com. Many security experts are concerned because a properly coded rootkit can be very difficult to discover. In theory, since every PC can possibly be compromised with a rootkit, every forensic investigator needs to take a heavy-handed approach when dealing with an exploited PC, even if it's just suspected of being compromised by a normal virus, worm, or trojan. Although rootkits can be more problematic, the author feels that the antivirus and other security defense companies will rise to the challenge, and rootkits will pose no more harm than yesterday's DOS stealth viruses. For example, you can download Sysinternal's RootKitRevealer (www.sysinternals.com/utilities/rootkitrevealer.html) to search for hidden Windows rootkits.

Worms

As common as trojans are, computer worms are even more so. According to several resources, e-mail-based computer worms make up over three-fourths of all attempted attacks against a PC. A worm is a malicious program that does not need to infect a legitimate host program to replicate — it is self-replicating. E-mail worms usually arrive as e-mail attachments pretending to be something legitimate (in that way, they are like trojans). When clicked, they install themselves in such a way as to ensure that they execute when the computer is rebooted (see "Where Malware Hides," below). The worm uses its own coding to spread. Often the worm will look for the infected user's e-mail address book, retrieve potential e-mail addresses, and then send themselves to the new recipients. Early on, e-mail worms used the user's SMTP server to send themselves. Today, most contain their own SMTP sending engines.

Worms don't need e-mail servers to spread. They can spread using any service or program shared among PCs. Internet worms often scan large swathes of public IP addresses looking for computers to exploit. The SQL Slammer worm exploited servers and workstations running Microsoft's SQL software. The MS-Blaster worm exploited the Windows RPC service. Many worms target web servers. The truth is that a worm can target any listening port and service on a computer. These days, when vulnerability exploit details are released, someone is making a worm to exploit more PCs faster. Whereas we used to have a few weeks or months to patch our machines, automated worms have decreased the low-risk period to a few days or less.

When reviewing a malicious mobile code program, it helps to categorize its overall behavior as a worm, virus, or trojan. A worm can replicate on its own and probably hasn't directly infected other legitimate files. A virus has infected other host files, and those will need to be cleaned up or replaced. A trojan isn't as hard to remove, but what its controlling hacker did while the trojan was in control of the PC is usually unknown. Today, like most e-mail worms, many malware attacks borrow techniques from multiple parent classes. These hybrids, although not new, are becoming more and more common.

Remote

Remote attacks, which successfully compromise a computer without the end user being involved or making a mistake, concern security analysts the most. The idea that a remote attacker can connect to an innocent remote PC and compromise it is a compelling issue. Common remote attacks include denial-of-service, buffer overflows, misconfigurations, sniffing, and man-in-the middle attacks.

Denial of Service

Sometimes a computer doesn't have to be exploited or modified to be maligned. A denial-of-service (DoS) attack causes a listening port or service on a remote computer to become hung and unusable by legitimate users until it is restarted. Hackers have used botnets for years to bring some of the world's most popular web sites down, including eTrade, eBay, Microsoft, and popular gambling web sites. Denial-of-service attacks work by sending a listening service too much fake traffic or something it is not coded to expect, causing the program to crash or go into an endless loop. For example, an attacker using a large botnet can send millions of packets per second to a single web site, overwhelming it, and making it unavailable to legitimate users. Steve Gibson of Gibson Research Corporation has one of the best accounts of an extended DoS attack (http://grc.com/dos/grcdos.htm). His company was held hostage by a 13-year-old kid offended by a quote that was misattributed to Steve. It's a great story full of technical detail, if you have time to read it.

Other types of DoS attacks malform network packets to accomplish their task. For instance, a LAND attack, which recently reappeared to successfully compromise Windows XP and Server 2003 (www.eweek.com/article2/0,1759,1773958,00.asp) for a few months, sends packets with identical origination and destination IP addresses and port numbers to hosts. The destination host receives the packet and attempts to respond to the bogus origination host, but ends up in an endless loop responding to itself. The scary thing about DoS attacks is that the Internet's primary protocol (IP version 4) is pretty much useless to prevent them. Many web sites have been down for days while fighting DoS attacks, finding and shutting down remote connections from DoS bots one-by-one to filter out the illegitimate traffic from the legitimate.

Buffer Overflow

The most common type of remote exploit is accomplished using a buffer overflow. A buffer overflow attack sends more information to a receiving program than the receiving program is prepared to accept. The receiving program incorrectly accepts the overly large data sent its way and inadvertently places the rogue data (which is composed of malicious machine-language commands) into executable memory where it is subsequently executed as program code by the CPU.

A buffer overflow can simply result in a DoS attack or result in a complete system compromise. If the buffer overflow attack results in a complete system compromise, the attacker gets logged into the remote system in the security context in which the remote service was executing. Unfortunately, most Windows services run in the LocalSystem context, which gives the hacker absolute control of the PC. Buffer overflows always occur because the program and/or the programming language did not control the inputted size of the data being submitted (as they should).

Related to the buffer overflow attack are invalid data injection attacks, where applications are sent malformed data that then tricks the application into executing commands instead of the intended normal database actions. SQL injection attacks are the most popular of these attacks, but they occur with PHP, CGI, and dozens of other programs and languages. Injection attacks can only be fixed with program patch updates and better program coding that checks for these malware data types. Drastic changes are being made to Windows and to the supporting computer chips to prevent buffer overflows. Windows XP and Windows Server 2003 have undergone extreme code review cycles (several rounds of manual and automated review) to prevent buffer overflows. Still, patches fixing Windows buffer overflows occur at least every few months.

Misconfiguration Weaknesses

Contrary to popular belief, it isn't only unpatched software that gets exploited. Dedicated attackers (and penetration testers) often exploit machines through configuration errors induced by the computer administrator, programmer, or application program.

The author of this book regularly sees the following misconfigurations on remote computers:

The Everyone group has Full Control permissions to all files and folders on a file server.
The null session Anonymous user credential is given Full Control permissions to all files and folders on a domain controller.
The IIS Anonymous user account is given Full Control permissions to all files and folders on an Internet-facing PC.

Computers and computer programs are complex, and complexity is the enemy of security. Most computer administrators are overworked and undertrained. Security is just one part of their job. Getting the computer up and getting the applications working for the end user is job number one. In their rush to satisfy multiple user requests, it is easy to see how administrators could misconfigure a computer. All it takes is answering yes to one unknown message box and Windows will do the rest. Misconfiguration errors can only be resolved by better training, configuration management, more secure software defaults, and configuration reviews.

Sniffing

Network protocol analyzer programs (i.e., sniffers) capture network packets crossing through their network interface card. By default, most network interface cards will drop network traffic not intended for them. A sniffer modifies the network interface card's network protocol stack so that the sniffer program can capture every packet that the card sees (called promiscuous mode). An attacker using a sniffer can capture anything that passes along the network in unencrypted form, including passwords and confidential information. Sniffing attacks were much more common in the early days of local area networks, where Ethernet hubs passed all information headed to and from any host on the hub to all other hubs. Ethernet switches replaced dumb hubs starting in around 1995. An Ethernet switch, by default, allows each connected PC to see only the traffic headed to and from it (plus broadcasts). This effectively killed the eavesdropping sniffer for about 15 years as a popular means of attack.

Today's proliferation of unprotected wireless local area networks (WLANs) has lead to a huge resurgence in wireless sniffing attacks. A remote attacker, listening in with a portable and small computing device, can listen in on any unprotected wireless network. Unfortunately, even the first popular wireless encryption protocol (Wired Equivalent Privacy) wasn't all that secure. Today, anyone can walk around and find dozens to hundreds of hackable wireless networks, which they can then exploit to capture confidential information, steal free bandwidth access, or inject malicious code.

A more sophisticated form of the sniffing attack is a man-in-the middle (MitM) attack. After establishing an eavesdropping session between two hosts, a MitM attacker can forge his identity to appear as the other host to each participating host. The MitM hacker can then capture information, or even more dangerous, manipulate the communication session to change the data sent between sender and receiver (without either innocent party being aware of the change). There have been some scary MitM attack demonstrations. The hacker program Cain & Able (www.oxid.it/cain.html) allows MitM attacks to be carried out with a few clicks of the mouse. Using the tool, an attacker puts the program into sniffing mode and captures the IP and MAC addresses of the machines it can listen to. Then, by simply clicking the mouse a few times, the Cain & Able user can initiate a MitM session. I've seen Cain & Able used to successfully intervene in SSL and RDP encrypted sessions. To prevent MitM attacks, the two hosts (or their programs) must use some sort of session authentication protection (e.g., IPSec, asymmetric cryptography, etc.).

Other Types of Attacks

Other types of attacks include physical, insider, obscurity, directory transversal, password cracking, social engineering, adware, spyware, spam, phishing, and pharming.

Physical

It's important in any computer security defense plan to consider physical security. If attackers have physical access to a computer, they can do anything to it. They can install hardware keyloggers, steal files, crack passwords, and just about anything else they want to do. They can steal the PC or set it on fire. Physical security is covered in Chapter 2.

Insider

Many surveys claim that trusted insiders account for 70–80% of all corporate computer crime. It makes sense that a trusted authorized employee, with intimate knowledge of a particular computer, has a strong chance of compromising that system, compared to the unknowledgeable outsider. But according to a May 2005 report prepared for the Secret Service (www.secretservice.gov/ntac/its_report_050516.pdf), insiders account for only 29% of all successful intrusions. Current, former, and contract employees were the most common insiders to commit a computer crime. In 62% of cases, a negative work-related event trigged the crime. In 82% of cases, the individual "acted in a concerning manner in the workplace prior to carrying out the crime." More than a third of them had already been arrested for other crimes. When hired, most had authorized, highly privileged access, but less than half did at the time of the crime. The majority of them used remote access to gain access to an unauthorized account, created a backdoor, and then launched a malicious attack. What does this say? A disgruntled employee or contractor is responsible for most insider attacks. Your security policy should take these statistics into account.

Obscurity

Many attacks work by fooling users or their programs into believing they are headed to a legitimate web site or network location, but instead redirect them to a malicious location. Obscurity attacks also used to fool computer security defenses. The simplest obscurity attack might be a user receiving an e-mail directing her to www.microsoft.com.site.com/downloads to download a proposed Microsoft patch. Those of us who understand URLs understand that the example URL would direct the user to a computer located on site.com, not www.microsoft.com. But most end users don't know the details of how URLs work and would probably be fooled. Typical obscurity attacks are even cleverer than the simple example. Usually the e-mail would be full of legitimate official links, and the site.com portion of the URL would be an IP address or a hexadecimal encoded (or decimal dot notation) location instead.

Obscurity attacks fool even the most secure of devices. Frequently, content and links that would normally not be allowed are passed through computer security defenses only to be converted into their legitimate locations on the computer endpoint. This is because many Internet standards require that inspection devices, computers, and browsers be able to take instructions and commands in many forms besides the normal ASCII form. This leads to inherent conversion problems of which the hackers take advantage. These types of attacks can be difficult in the short term to defeat, as hackers have been ingenious in creating ways to bypass the created defenses. For example, in 2005, there have been several obscurity attacks against many of the common Internet browsers. Browser developers responded by developing special tools that would alert the user when the presented URL did not match the web site to which they were being redirected. Enterprising hackers coded their malicious web pages to post "messages" that looked like the user's normal screen over the resulting warning messages. Very tricky indeed.

Directory Transversal

Directory transversal attacks are similar to obscurity attacks in that they attempt to use an obscure or encoded representation of a directory path in order to access a directory location or file to which they would normally not have access. For example, an older (now patched) attack, http://hostdomain/../../../../../../../windows/system32/cmd.exe?/c+dir+c will be converted to c:\windows\system32\cmd.exe. In unpatched versions of IIS 5, it would allow a remote attacker to have command line shell access to the web server even though IIS is specifically coded to prevented anonymous access to that location. All of the popular web servers and web browsers, and many computer security devices, are susceptible to these types of attacks. The vendors close up one hole only to have another discovered a few months later. The defenses against these types of attacks will be covered in chapters 10 and 12.

Password Cracking

If an attacker can gain physical access to a Windows computer in its default configuration, its password database is very susceptible to attack. Remotely, an attacker is usually forced to guess at user logon names and passwords to be successful. Unfortunately, most networks are full of many weak passwords that are easy to guess. Chapter 4 will cover password cracking thoroughly.

Social Engineering

Sometimes the easiest hack isn't a hack at all. The world's most controversial and popular culture hackers have all been masters of social engineering. Instead of using a malware program or trying to manually break into a system, they just ask for the necessary information. Most people's overly helpful nature leads to an unnatural trust that social engineering hackers exploit. Social engineering doesn't always require elaborate ruses. Frequently, company receptionists are called by external hackers claiming to work for the telephone company. They ask the helpful receptionist for an outside line to help troubleshoot a problem. The hacker then makes free long-distance calls at his leisure. Often, when I've been hired to do penetration testing, I'll walk up to the CEO's assistant and explain that I've been hired to do penetration testing, including password strength testing. I then ask for the CEO's password to test it. I've never not gotten the password. The only defense against social engineering is good computer security policies and employee training.

Adware, Spyware, Spam, Phishing, and Pharming

Spammers and mischievous advertisers are making the virus, worm, and trojan problem of the past two decades seem like child's play. Spam e-mail is more common on the Internet than legitimate e-mail. An unprotected, unpatched PC will often have dozens to hundreds of installed adware, spyware programs and tracking cookies after a few days of surfing the web. Some "free" software programs install hundreds of malicious programs that the user is unaware of as a cost of using the free program. Adware and pharming attempt to direct the user to a predefined location instead of where the user intended to go in order to sell a product. Adware usually does this by modifying the user's browser configuration or DNS client information (see "Where Malware Hides," below). Pharming (http://en.wikipedia.org/wiki/Pharming) tricks DNS servers or clients into having fraudulent information in order to misdirect end users. Pharming attackers are interested in either Adware-like activities or stealing the user's identity. Phishing attacks send malicious, but legitimate-looking, e-mails to users asking them to re-verify their credit card information. Phishing e-mails look quite realistic, even often reminding users not to be fooled by phony phishing e-mails at the same time as they scam the user.

Spyware attempts to capture a user's personal information in order to sell the information to dubious vendors or criminals.

All five types of attacks previously mentioned are on the rise, despite increased legislation and better computer defense tools. They install themselves in elaborate, multi-angled attacks, which make it difficult to remove. They have software installers that install other software installers that install dozens of programs, each from multiple, moving malicious web sites. Trying to track down who is spreading the spam, spyware, or phishing attack is one of the most difficult computer forensic challenges possible. It takes massive coordination of several networks and security administrators to capture a single bad guy.

Note

Read the multi-part SANS Handler's Diary article, "Follow the Bouncing Malware" (http://isc.sans.org/diary.php?date=2004-07-23&isc=00ee9070d060393ec1a20ebfef2b48b7), to get a better understanding of how difficult the task can be.

Malware Trends

There are three major trends in malware today. Attacks are becoming more:

Professional, with criminal intent
Blended
Self-updating

This means the attacks are getting more sophisticated, more secretive, and more likely to cause financial harm. The single biggest change in malware during 2005 was the evolution of malware from a teenage hacker's hobby to a professional criminal enterprise. Almost all the malware released in 2005 attempts to steal personal or financial information. Symantec's Internet Security Threat Report VIII (http://enterprisesecurity.symantec.com/content.cfm?articleid=1539) reported that 74% of the most popular malware programs monitored in 2005 had the ability to steal information. This is a tremendous change from the past, when most malware programs were created for bragging rights or to upload pirated software. The use of malware programs to commit computer crime is so prevalent that a new malware classification, crimeware, has been coined to accurately state the intent.

Second, attacks are often are blended to include automated portions directed by a dedicated attacker. What starts out as a trojan ends up writing a worm that "drops" a virus. The virus downloads a spam bot, and the cycle continues. Lastly, many viruses and worms are pulled from one or more centralized (often illegally compromised) web sites. Once these malicious web sites are recognized, the owning ISP can be identified and they can shut down the web site.

Today, the malware searches for victim web sites to compromise. Then a worm from the first compromised web site starts to infect client machines. The subsequently infected client machines reconnect to the original mothership malware web site and download new malware. The new malware instructs the client to connect to another malicious web site, where it downloads a new malware program, and so on. Using this method, the malware mothership web site is always changing. By the time authorities shut down one malicious web site, a hundred more are compromised. And the code downloaded from each malware web site changes with each version, so the malware is self-updating. The originating hacker can drop off new malware programs with different infection and damage routines anytime they want to.

Even with all the attack types mentioned previously, we are just discussing the tip of the iceberg. There are literally hundreds of attack types and more than 100,000 different malware programs. Malware is as varied as real programs. Rogue programs are becoming more complex, and will follow technology wherever it goes. Today, malicious e-mail attachments and embedded links are the most popular malicious code types. In the future, wireless worms or rogue XML code will probably take center stage. It is doubtful that we will ever see a complete defeat of malware and a completely safe computing environment. There may be more than 100,000 programs, but they use the same few dozen compromise methods.